Permissions-Policy Analyzer Guide
Use this guide to understand Permissions-Policy, identify wildcard or missing sensitive-feature controls, and tighten browser-side access safely.
Overview
Permissions-Policy tells browsers which powerful features a document may use. It complements CSP by limiting camera, microphone, geolocation, payment, USB, and similar APIs.
What to review first
- Presence: Confirm Permissions-Policy or legacy Feature-Policy is published on HTML responses.
- Sensitive defaults: Disable camera, microphone, and geolocation unless a page truly needs them.
- Wildcards: Replace wildcard allowances with explicit origins or empty allowlists.
Sensitive features to restrict
| Feature | Risk | Recommended default |
|---|---|---|
| camera | Drive-by capture abuse | camera=() |
| microphone | Audio capture abuse | microphone=() |
| geolocation | Location tracking | geolocation=() |
| payment | Unexpected payment UI | payment=(self) or payment=() |
Baseline policy
Restrictive baseline
Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=(), usb=()
Recommended Remediation Flow
- Publish a baseline: start with empty allowlists for unused sensitive features.
- Allow only required origins: add explicit origins for embeds that truly need a feature.
- Retest affected pages: confirm legitimate flows still work after tightening the policy.
Troubleshooting Common Issues
Feature still works after deny
Another frame or inherited policy may still allow it.
- Check nested iframes.
- Review Feature-Policy legacy fallbacks.
- Confirm the response you tested is the live HTML document.
Validation Checklist
Post-fix validation
- Permissions-Policy is present.
- Sensitive features are explicitly restricted.
- No wildcard allowances remain on high-risk features.
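The checks above (header present, sensitive features restricted, no wildcard on high-risk features) can be run mechanically against a captured header value. The following is an added example, not part of this guide or any product it describes; the parser, the function names and the sample header values are constructed for illustration, and the sensitive-feature list is taken from the table above.

```python
# Constructed example: parse a Permissions-Policy header and flag
# missing or wildcard controls on the sensitive features named in this guide.
SENSITIVE_FEATURES = ("camera", "microphone", "geolocation", "payment", "usb")


def parse_permissions_policy(header_value):
    """Parse a Permissions-Policy value into {feature: [allowlist tokens]}.

    Accepts the forms the header uses:
      camera=()                              -> []
      geolocation=(self "https://a.example") -> ["self", "https://a.example"]
      payment=*   or   usb=self              -> ["*"]  or  ["self"]
    """
    policy = {}
    if not header_value:            # None or empty string: header absent
        return policy
    for directive in header_value.split(","):
        directive = directive.strip()
        if "=" not in directive:
            continue                # ignore malformed fragments rather than crash
        feature, _, allowlist = directive.partition("=")
        allowlist = allowlist.strip()
        if allowlist.startswith("(") and allowlist.endswith(")"):
            allowlist = allowlist[1:-1]          # unwrap the inner list
        policy[feature.strip().lower()] = [t.strip('"') for t in allowlist.split()]
    return policy


def analyze_permissions_policy(header_value, sensitive=SENSITIVE_FEATURES):
    """Return (feature, severity, message) findings for each sensitive feature."""
    policy = parse_permissions_policy(header_value)
    if not policy:
        return [(f, "missing", "no Permissions-Policy header; browser default applies")
                for f in sensitive]
    findings = []
    for feature in sensitive:
        tokens = policy.get(feature)
        if tokens is None:
            findings.append((feature, "missing", f"add {feature}=() unless required"))
        elif "*" in tokens:
            findings.append((feature, "wildcard", f"replace * with explicit origins or ()"))
        elif tokens:                 # non-empty explicit allowlist: review, not a failure
            findings.append((feature, "allowed", f"allowed for: {', '.join(tokens)}"))
    return findings


if __name__ == "__main__":
    sample = 'camera=(), microphone=*, geolocation=(self "https://maps.example"), payment=(self)'
    for feature, severity, msg in analyze_permissions_policy(sample):
        print(f"{severity:8} {feature:12} {msg}")
```

Only "missing" and "wildcard" findings fail the checklist; "allowed" entries are listed so the explicit origins can be reviewed against the embeds that actually need them.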
FAQ
Feature-Policy vs Permissions-Policy
Browsers prefer Permissions-Policy.
- Feature-Policy is legacy.
- Use Permissions-Policy for new deployments.
- Some scanners still report both names.